What to store in a JWT?

session cookies jwt
17,406

The JWT RFC establishes three classes of claims:

  • Registered claims like sub, iss, exp or nbf

  • Public claims with public names or names registered by IANA which contain values that should be unique like email, address or phone_number. See full list

  • Private claims to use in your own context and values can collision

None of these claims are mandatory

A JWT is self-contained and should avoid use the server session providing the necessary data to perform the authentication (no need of server storage and database access). Therefore, role info can be included in JWT.

When using several devices there are several reasons to revoke tokens before expiration, for example when user changes password, permissions or account deleted by admin. In this case you would need a blacklist or an alternative mechanism to reject the tokens

A blacklist can include the token unique ID jti or simply set an entry (sub - iss) after updating critical data on user (password, persmissions, etc) and currentTime - maxExpiryTime < last iss. The entry can be discarded when currentTime - maxExpiryTime > last_modified (no more non-expired tokens sent).

Registered Claims

The following Claim Names are registered in the IANA "JSON Web Token Claims" registry established by Section 10.1.

  • iss (issuer): identifies the principal that issued the JWT.
  • sub (subject): identifies the principal that is the subject of the JWT. Must be unique
  • aud (audience): identifies the recipients that the JWT is intended for (array of strings/uri)
  • exp (expiration time): identifies the expiration time (UTC Unix) after which you must no longer accept this token. It should be after the issued-at time.
  • nbf(not before): identifies the UTC Unix time before which the JWT must not be accepted
  • iat (issued at): identifies the UTC Unix time at which the JWT was issued
  • jti (JWT ID): provides a unique identifier for the JWT.

Example

{
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
    "context": {
        "user": {
            "key": "joe",
            "displayName": "Joe Smith"
        },
        "roles":["admin","finaluser"]
    }
}

See alternatives here https://stackoverflow.com/a/37520125/6371459

Share:
17,406
user1164937
Author by

user1164937

Updated on June 01, 2022

Comments

  • user1164937
    user1164937 about 2 years

    How do you guys deal with the same user on multiple devices? Won't data such as {admin: true} become stale except for the device that changed it?

    Should this even be in a JWT? If not, and we resort to only putting the user ID, won't that be just like a cookie-based session since we store the state on the server?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Significant differences between Cookies and JWT for native mobile apps
Configuring session cookies in Weblogic
How to make JWT cookie authentication in Laravel
How to reuse php curl response cookie and bypass login steps on the script's subsequent executions?
How can I put a cookie in Jersey RESTful webservice?
Difference between setcookie() and session_set_cookie_params() functions
session id cookie in gwt rpc
Spring RestTemplate session
Access session cookie in scrapy spiders
PHPSESSID not being saved to cookie